Telecoms.com

news

Operators say RIPA customer record sharing is old news

EE, Vodafone and Three have responded to the story recently published by the Guardian, and followed up by many other media, about the automated sharing of customer call records with law enforcement officers. They insist the practices have been in place for some time to comply with existing law.

The Guardian has reported the three carriers have automated systems in place to handle all information requests made by the police through the Regulation of Investigatory Powers Act (RIPA) 2000. This is apparently in contrast to O2 handling these types of requests manually, through a dedicated in-house team.

RIPA is an act initially designed to regulate public bodies’ powers to carry out surveillance and access individuals’ electronic communications records on national security grounds. The law has many critics, who claim it is excessive and a threat to civil liberties. Some 100,000 information requests are made every year through RIPA, mainly by police forces but also other public authorities, such as councils.

The automated systems used by the three mobile operators allow police officers to retrieve data without any human involvement beyond an initial authorisation by another senior police officer than the one making the request. This involvement of two officers before a request can be made is intended to ensure the RIPA powers are used “only where it is necessary and proportionate,” according to the Home Office.

What is proportionate and when interception of private communications is necessary are highly subjective issues. Civil rights activists have said the automated practice puts in doubt any oversight of the legitimacy of information requests. As reported by the Guardian, some have called for telcos to check every request individually thus allowing for them to be challenged if appropriate.

It seems questionable, though, whether telcos are or should be in a position to make such judgements. Operators are required by law to keep customer call records for a year, and to hand out information to law enforcement officers by request. As operators are compelled to respond to data requests by public bodies, it seems EE, Three and Vodafone have simply taken the view that handling such requests manually is needlessly labour-intensive and opted for an automated process instead.

“We take both our legal obligations and customer privacy seriously,” a Three spokesperson told Telecoms.com. “Three works with the Government and does no more or less than is required or allowed under the established legal framework, which is audited by the Interception of Communications Commissioner. Information on the volume of requests under the Regulatory Investigation Powers Act is published annually by the IoCC.”

“When legally required, our specialist team work with the law enforcement authorities using secure systems and processes to ensure we act lawfully to disclose data in relation to police investigations under the strict controls of RIPA,” EE told Telecoms.com.

“The overwhelming majority of the RIPA notices we receive are processed automatically in accordance with the strict framework set out by RIPA and underpinned by the Code of Practice,” a Vodafone spokesperson told Telecoms.com. “This reduces the risk of human error, while ensuring that all written demands sent to us comply with legal due process. It also creates an effective audit trail for IOCCO [Interception of Communications Commissioner’s Office], which provides another level of oversight.

“Even with a manual process, we cannot look behind the demand to determine whether it is properly authorised. The mechanisms available to government agencies to request information from communications’ companies are reviewed regularly by IOCCO, which also discloses the total number of RIPA notices served each year. We are in the process of evaluating RDHI-compliant systems.”

Asked whether the manual process is laborious to maintain, O2 insisted it isn’t. “No. It allows us to strike the right balance between fulfilling our legal obligations while protecting the rights of our customers,” a spokesperson for O2 told Telecoms.com. “Having human validation and approval of such requests ensures an immediate and personal response while maintaining an appropriate level of control regarding the disclosure of customer data.”

In related news, also reported by the Guardian, it emerged that police’s powers to access journalists’ phone records to discover journalistic sources are set to be curtailed so that in the future police will need a judge’s approval first to do so.

“A free press is fundamental to a free society and the government is determined that nothing is done which puts that at risk,” a Home Office spokesperson told Telecoms.com in a statement. “We have also been working to strengthen the relevant code of practice to ensure extra consideration should be given to a communications data request involving those in sensitive professions, such as journalists. We anticipate that the revised code will be published in draft this autumn and, following a full public consultation, will be laid in Parliament before Christmas.”

Civil liberty campaign group Don’t Spy On Us told Telecoms.com that access to private individual’s records should also warrant judicial approval.

“The Don’t Spy On Us campaign is calling for judicial authorisation before telecoms companies or ISPs are required to hand over their customers private information,” Mike Harris, Director of the campaign told Telecoms.com. “While a lot of the attention has focused on the rights of journalists to protect their sources, it is also the case that lawyers communicating with their clients or human rights activists working with people in dangerous situations, must also be able to communicate securely and privately. Without judicial oversight and substantial reform of RIPA, we fear scandals like this will continue annotate it.”

But the Home Office insisted the current process ensures the proper and proportionate use of private persons’ electronic information. “Communications data is an absolutely critical tool used by police and other agencies to investigate crime, safeguard national security and protect the public. There are measures in place to ensure that police powers to access this data are not abused.”

While it is important to highlight how individuals’ private communications data, or that of journalists, is shared and used, there seems to be no new information behind the latest RIPA outrage. RIPA has been around for over a decade, as have the processes through which mobile operators deal with information requests. While concerns regarding the state’s ability to spy on its citizens are legitimate, the law as it currently stands compels operators to hand over certain data without question. Whether or not this is done manually seems largely irrelevant and even if it wasn’t, operators are ill-qualified to determine the legitimacy of the request.

Websites are now required by law to gain your consent before applying cookies. We use cookies to improve your
browsing experience. Parts of the website may not work as expected without them. By closing or ignoring this
message, you are consenting to our use of cookies.